xorist | 2443e9a982e62ad116f871f7133e9276d48f1c84a0663c17d6a6a1348efdd552

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
07-10-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
Size

39KB
MD5

1def9a900a56445340184d0403357d4f
SHA1

40cc24cc783e687dd53d32d13309df5fe0248493
SHA256

2443e9a982e62ad116f871f7133e9276d48f1c84a0663c17d6a6a1348efdd552
SHA512

285cfe35b74faf5bafdb9907cf9bf73fba8b213fa27bed883e1a400767c6b8a612b2028c0d222af20899e1936277673885a58a3a2f9b038d2c750e2afdb3b226
SSDEEP

384:LWwB/3N38titKkpAqonT6lri3qYvjSQTsq2AMB:Bc5kpZoTLaY7ZAF

Score

10^/10

xorist discovery persistence ransomware spyware stealer upx

Malware Config

Signatures

Detected Xorist Ransomware 3 IoCs

resource	yara_rule
behavioral1/memory/2660-0-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2660-8896-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist
behavioral1/memory/2660-9119-0x0000000000400000-0x000000000040C000-memory.dmp	family_xorist

Xorist Ransomware
Xorist is a ransomware first seen in 2020.
ransomware xorist
Renames multiple (2211) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\it-IT\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Alcmeter = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7VsEs5EZs7IxXFr.exe"	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\mchgr.inf_amd64_neutral_407146dba80d1566\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wdi\perftrack\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\it-IT\Licenses\eval\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\eval\Starter\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\averhbh826_noaverir_x64.inf_amd64_neutral_2fe3b14136d6e46d\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-RasServer-MigPlugin\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmnttd6.inf_amd64_neutral_ce587aa61510da51\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\OEM\HomeBasicE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_execution_policies.help.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\EnterpriseN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Assignment_Operators.help.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Return.help.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DriverStore\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky309.inf_amd64_ja-jp_afbb421e3dc1cb6b\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx00b.inf_amd64_neutral_89b555703683b583\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\001a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\bthpan.inf_amd64_neutral_024281c0e4e954e2\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmkortx.inf_amd64_neutral_1975687236603184\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_script_blocks.help.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_neutral_ea1c8215e52777a6\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_Core_Commands.help.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\scsidev.inf_amd64_neutral_a7f5d9f34b621dca\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremiumE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky305.inf_amd64_ja-jp_4d77cc4802b17ec3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmrock4.inf_amd64_neutral_e45293c539584293\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_functions_advanced.help.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mtconfig.inf_amd64_neutral_4de24f49b5e60c45\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00d.inf_amd64_neutral_0600b2ba575729f4\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnky308.inf_amd64_ja-jp_d90af802b607044a\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnlx008.inf_amd64_neutral_75545721835fd863\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usbcir.inf_amd64_neutral_379fb0c62496be6e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_CommonParameters.help.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\faxca003.inf_amd64_neutral_5b8c7c1dda79bef4\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\mdmcpv.inf_amd64_neutral_5667cca434e3a6b7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Parsing.help.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ja-JP\about_For.help.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\usb.inf_amd64_neutral_269d7150439b3372\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\es-ES\Licenses\eval\Ultimate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-DirectoryServices-ADAM-DL\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\de-DE\about_parameters.help.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_Return.help.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\XPSViewer\fr-FR\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\cpu.inf_amd64_neutral_ae5de2e1bf2793c3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnbr007.inf_amd64_neutral_add2acf1d573aef0\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\001f\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\es-ES\about_remote_troubleshooting.help.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_script_internationalization.help.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_neutral_4b99fffee061ff26\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\rdpbus.inf_amd64_neutral_3b741ca76444b9c3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\InstallShield\setupdir\0007\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnca00e.inf_amd64_neutral_651eeed98428be5e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp005.inf_amd64_neutral_914d6c300207814f\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\about_remote_FAQ.help.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\it-IT\about_Signing.help.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_neutral_8693053514b10ee9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netr7364.inf_amd64_neutral_68988e550e69a417\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\fr-FR\about_Continue.help.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\System32\DriverStore\FileRepository\wiasa002.inf_amd64_neutral_6429a42f1243419a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ja-JP\Licenses\eval\HomePremiumN\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2660-0-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2660-8896-0x0000000000400000-0x000000000040C000-memory.dmp	upx
behavioral1/memory/2660-9119-0x0000000000400000-0x000000000040C000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationUp_SelectionSubpicture.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_150.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR13F.GIF	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\calendar.html	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\30.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Casual.gif	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\EXPLODE.WAV	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right_over.gif	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AppConfig.zip	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.bmp	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\default_thumb.jpg	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\images\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_disabled.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImage.jpg	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dialog.zip	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files\Java\jre7\lib\zi\SystemV\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\FreeCell\de-DE\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR8F.GIF	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\flyout.html	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\HEADER.GIF	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pine_Lumber.jpg	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\1047x576black.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21534_.GIF	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21321_.GIF	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\index.html	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-waxing-gibbous_partly-cloudy.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\144DPI\(144DPI)alertIcon.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Filters\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02134_.GIF	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_disabled.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\AdobeID.pdf	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Google\Update\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.Serialization\v4.0_4.0.0.0__b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-class_ss.resources_31bf3856ad364e35_6.1.7600.16385_it-it_28edda75bec5c04e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_d911df4e81059b22\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..iprovider.resources_31bf3856ad364e35_6.1.7600.16385_de-de_2d711b631084234c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..5linqcomp.resources_31bf3856ad364e35_6.1.7601.17514_it-it_46e7f1f4bdaedd67\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_net1kx64.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2451d80ce52b4139\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-mulanttsvoiceenudsk_31bf3856ad364e35_6.1.7600.16385_none_75c520ccf1df00ca\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-weather_31bf3856ad364e35_6.1.7600.16385_none_4db0b909695af8f9\undocked_gray_cloudy.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\UIAutomationClient\3.0.0.0__31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\500-13.htm	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ng-oleprn.resources_31bf3856ad364e35_6.1.7600.16385_it-it_9b84a779e457f3e5\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-checkers.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_8a2dc19c51d102b3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-wmi-stdprov-provider_31bf3856ad364e35_6.1.7600.16385_none_9a8350c7e0405c47\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..homebasic.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_6d67606a112afa9b\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-x..lugin-mui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_55a5838a25a5fe77\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\1.0.0.0_es_31bf3856ad364e35\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-media-mp3acm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_872be93eaa9f6a40\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_wpf-windowsbase_31bf3856ad364e35_6.1.7601.17514_none_597476cfa608388a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_mdmgen.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_05a824ea7447f385\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-adm_31bf3856ad364e35_6.1.7600.16385_none_893d90cda53294d1\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-p..ll-preloc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_27fbee50ef7f6588\about_aliases.help.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-e..ingfaults.resources_31bf3856ad364e35_6.1.7600.16385_de-de_cd71dff5a132d2ca\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_32\Microsoft.Office.InfoPath.Client.Internal.Host.Interop\14.0.0.0__71e9bce111e9429c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Resources.Writer\v4.0_4.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-gadgets-calendar_31bf3856ad364e35_6.1.7600.16385_none_0dfaaaec65b0831b\curl.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-taskmgr.resources_31bf3856ad364e35_6.1.7600.16385_es-es_d67dc559c08dab90\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-g..licymaker.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_fbc641931b6a7d77\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-notepadwin.resources_31bf3856ad364e35_6.1.7600.16385_it-it_81c88c3faef544a8\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-o..yle-specialoccasion_31bf3856ad364e35_6.1.7600.16385_none_01242a21ddccaf3b\SpecialNavigationRight_SelectionSubpicture.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Windows User Account Control.wav	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-v..c-usb-rpm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_143c71aed140e65e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-fdeploy.resources_31bf3856ad364e35_6.1.7600.16385_de-de_647fe89caea2a08e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..languages.resources_31bf3856ad364e35_6.1.7601.17514_zh-cn_70897adaf67ef72e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..g-cmdline.resources_31bf3856ad364e35_6.1.7600.16385_de-de_da3238e0b81f7561\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..sbinaries.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b87da52fa7e9b700\403-3.htm	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..-netlogon.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ba88bec7f5c72fd7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..simple-provider-tlb_31bf3856ad364e35_6.1.7600.16385_none_c675e5f221bf8d24\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-p..ooler-ppc.resources_31bf3856ad364e35_6.1.7600.16385_it-it_874b0738fb71ce09\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks.resources\2.0.0.0_de_b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_mdmneuhs.inf_31bf3856ad364e35_6.1.7600.16385_none_22b2d74734caa1f7\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-rasctrs.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_55486069e967bd79\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-photosamples.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b502a62ac370cd05\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-n..-statusui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_43eea28fe31c4968\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-e..e-ehrecvr.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_2ceb4c3f8f31bd2e\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-video.resources_31bf3856ad364e35_6.1.7600.16385_it-it_7c8b1147a98de824\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..c-results.resources_31bf3856ad364e35_6.1.7601.17514_en-us_b334020d5d61f256\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ooler-core-localspl_31bf3856ad364e35_6.1.7601.17514_none_8e41636aa94da31c\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..omruntime.resources_31bf3856ad364e35_6.1.7600.16385_de-de_87d88cc81f420418\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_725857cf41f74c3f\setting_back.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-keyiso.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0a615764d5644890\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\fr\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-a..ompat-adm.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_b9f38c8f575e0175\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-g..picturepuzzlegadget_31bf3856ad364e35_6.1.7600.16385_none_ce76f352fa54bd75\settings_left_disabled.png	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_amdsata.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_3ea4ad375858b344\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..confg-rll.resources_31bf3856ad364e35_6.1.7600.16385_es-es_60a91f8ca6165abb\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ntlanui2.resources_31bf3856ad364e35_6.1.7600.16385_it-it_cf881ed50c2b4148\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.1.7600.16385_none_ec90596b8cb45ecc\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msfs_31bf3856ad364e35_6.1.7600.16385_none_026531e2369d6d42\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ndis.resources_31bf3856ad364e35_6.1.7600.16385_de-de_291eb1dc1e8490a9\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-t..trolpanel.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_5ea8eb97e1637fb3\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
File created	C:\Windows\Web\Wallpaper\Nature\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.EnCiPhErEd\ = "XMETOVVOBKTPXKF"	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XMETOVVOBKTPXKF	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XMETOVVOBKTPXKF\ = "CRYPTED!"	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XMETOVVOBKTPXKF\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7VsEs5EZs7IxXFr.exe,0"	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XMETOVVOBKTPXKF\shell	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XMETOVVOBKTPXKF\shell\open	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\XMETOVVOBKTPXKF\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7VsEs5EZs7IxXFr.exe"	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XMETOVVOBKTPXKF\DefaultIcon	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\XMETOVVOBKTPXKF\shell\open\command	1def9a900a56445340184d0403357d4f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1def9a900a56445340184d0403357d4f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1def9a900a56445340184d0403357d4f_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\ÊÀÊ ÐÀÑØÈÔÐÎÂÀÒÜ ÔÀÉËÛ.txt

Filesize
282B

MD5
69a98ef655778f1cb3764a923acbae80

SHA1
22683321e95c9a631039d15fc49ac5d3e639ac54

SHA256
2ff127d5bc4c7333c8f522aa4b456684eca97c06d452bf7d00b6a99b49b11b0e

SHA512
610fc09f40124e1a74ff303ddd95ad5809679be9e0c381e5d367ecf8e1e137c3da188142de7a2c5fe2b1225e12482245f2b5c417d43d73618108bfb1c32a5ed2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_OFF.GIF

Filesize
341B

MD5
e83df9858a7b6450fee7e5fd651086ee

SHA1
8b565dcafa884595c50b94c47cf53639da4487a3

SHA256
486497011929892178622524fec43264b68d6503986fd881550ab33740276f9a

SHA512
b91e69ee57b45e94bcdd8410afb9c007283338002f3b7b5f262a90bd686d1e4750302d61448db08a09e5b61e03437e9457c52e1ff233608a0413eaeb5c40e683

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\TAB_ON.GIF

Filesize
222B

MD5
7507ff88d802ea66e8fe4d536e93e3ec

SHA1
238e038ac5c60905fd53804323652ba7689e0504

SHA256
bc6f999cfd925c347ed51b61c5866f899c2e869f51307476debb10a04df62ef6

SHA512
6092444e03c1228c5979cab13c1c4d717695e5a68d7e94382f948c929870db2e9a859cbc23abfa53a69c0e8e9efeb20ea103df5bdbaefb33cb8dbbb3f8ddcdcf

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\BG_ADOBE.GIF

Filesize
24KB

MD5
dc09fb735dc158db2537dd571d6ebcc7

SHA1
50565ff4229816d58c4f8cfc21d1058b81de193f

SHA256
ac1ea29f5d6756bef8403cddd63f2e7948fc215a7a5d57e2a665279f8a86db20

SHA512
72b4704d913b8abe846a05cb1ebef713ddb55dfb90248c5cbce8938ca1e5b642b20997c0f47aa199db87fe83f8a488b996a67cdd8c3f685be25f505a1d9236ef

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\BUTTON.GIF

Filesize
185B

MD5
72e2ff35b005f5aaa575a081711323be

SHA1
99e527c4e07345f2bf81cb5aeaa35656a976b3ac

SHA256
962204cffcbab11c49eff31d1f9d57e0419370be235f1f51595b88eb3fb6e1b3

SHA512
d12b509a8ee18a782b6bdc47527853dfdf27a9de5e4b797950da0eee915af6ead11d7f6b3d5d3f90382c67ded4ea5c8492de017d4ea1b27d2bf9f2f03a66faa4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_OFF.GIF

Filesize
496B

MD5
2ea88970eba0ca2e5aa74b119f2a166b

SHA1
b87370ccd0d3b9c633b9ad9b0cc755b0e01ab78b

SHA256
7cae04463a98c4aa4aacb79afb22815cc360b27fe630c465c1737682ba4fa230

SHA512
5d15352bb2fff91ffc1ea4ad9e8850528b6f9e118717e9f39ce1b0b2c3d18e4183f6511c1821e36034ca0bc1f33a2a832f6e19eef0a4d9fc6ca50fb4fbf3f8ab

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\TAB_ON.GIF

Filesize
1KB

MD5
e1f40bf606a6043d1b72d05bbd29506c

SHA1
a242d31eafbdafdba4dfee9551c2f23454a53e51

SHA256
c16407532309461e9aeb9720cb95dc2f66d542db22e1cfaab8cf7801cda8e759

SHA512
dc9555f3052c3f8750f4cbcdeb713bd3554ccd2df21461151c1e466d6bd875a64bfd7a170d482c1923b42ea8b05e2a452d455af60434600d06ad2186177cf5dc

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_off.gif

Filesize
341B

MD5
eb0eb34848538c0e1452ca80fe46eb2f

SHA1
8bb06f1fb650be05094e8a31feebedb196b6af9d

SHA256
e3657b981e77997c6ab21190cf4be564677765b095bb3cc25628f78a56cba912

SHA512
dc1f78f408ac14c1b00df689e715828b416759d44c6557ea5f1806bd5b8c05fc6c4d5d1d1d90b52860e899fbab979f537b589e407620935af7286ffd9643749d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Swirl\tab_on.gif

Filesize
222B

MD5
da1e33e3597106814d8d4361654117c3

SHA1
2b94f40bfc685e074a3b647f79442a04d38b53a2

SHA256
8a47b05697a18206d200f77416957bc75c463cc25ea647b21e4c8a4e1aa3cb17

SHA512
6f90480e04bd95dad7d417d9498d60ecdaa732d45c0de164c0198a9e475300b0c01088f03bbcbf911cf3548589554832c588b15b077e2a6da6c84f1b9de42760

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Casual.gif

Filesize
5KB

MD5
938443abb020550106b6a949c021d052

SHA1
9bee7c051022c08f1e4a38115afc902a9e42c35f

SHA256
67ec6617a0780cf46aea2b88754d02b7349cbf0b6431e8c62fa052c0938c1f37

SHA512
68a954ff213f0c6247d93ffa91f6a190eed204063d09cfcf07ed3e3b5f42c88230ba9e5265fcf5ced4f1f9d48f2ce954538f94db8582458d55682d7f1aff1ffb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Country.gif

Filesize
31KB

MD5
785e12dd4e616930273aa423df5c489b

SHA1
81de4e7d8804c8771d7f7d31cff7f0f434285743

SHA256
1f32b4fe56b10616560d693624a827d3dbaa91ecde2d7549b339f62410f146d9

SHA512
642ac3e5c63f3a46a402e6cacfc09dfb4aeade0bb325c8cc941e931f092d94a5991031eddff90229822b1b1c18818a02d0d58737fc649e3706df7ebd1a44cd26

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif

Filesize
4KB

MD5
24d5bb37e2a12dec9ff379bd565b3312

SHA1
968d4897ed4d13eaf8ca0f30c20414defa96f0d3

SHA256
f65d4ffb1a0b38bd34f3b4d1351374af199ad59eb942efd202106f78053a1ec3

SHA512
3cb7aafa79d0730722dad19fa28bf7a81d69e05208cdfe10b6442ce775caec7a4a4a1f759b88f1d2da748cc20f17cc100b1904d13f19d2badc34b3db28231e56

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_GreenTea.gif

Filesize
21KB

MD5
58ca66be87764c8768aaaae7be82fdff

SHA1
f9ac0fae7d229fdb5f8de036b5def4a51a08fb38

SHA256
4c5ee94ce4893725adc263f55cada1a640b56f06dd4373328db4592a1e9d8b9b

SHA512
305bfc03cd8243a58670e00fa0c6c73854b168e7b274d43b7ac0d00f600cae183e51cf002fc0e3feb45a8e997b39cac3f6c58379b73bfe1f6e78d4eaf49cb449

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Groove.gif

Filesize
106B

MD5
1fd8e8927b2fe8f17a821d20f8d3b20a

SHA1
20d28dbdcae8bf0d8203e0447621fdebeb01d2dc

SHA256
09ec785d53a3879d405156af29b0785d9b7568d8676d68ad4cfac50a17031246

SHA512
ddb5f7e1312db8b202bdb1128c55117cff5801f289b1d411027018ed5b84769b9ada8bf8205606938fd07e540fa49e1f2dab9827c8a0d29c2e9ccbbb3d902b6a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif

Filesize
8KB

MD5
3c3b9ca6e3dced11bb64b20c0c9ac1d3

SHA1
208a2e9c22402cd252b806f52c6944473af77003

SHA256
78f436618957a3ffae7b907950a7e54095c95b38d2e3126a0ef80cb74c3af734

SHA512
bb7b7f408f0fa399163064b18d1cbc39331c8567bec853beef58c0b600a164fcf6386d12bf0cfdd2a427323b03fe100339c614910d041be467f31d1bef2601c9

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_OliveGreen.gif

Filesize
15KB

MD5
4536e8c494b81802198cf62c70a5899b

SHA1
a38cc982679d94ba8436fa2a347510d5170d19db

SHA256
aad5db49f1a15b62844eb66b2dba325d5c6e0394f532aa76b0e651e4fdcee94a

SHA512
2159b3c263fc144517d36838e7e25396c939ad73f8c1024af244ef25e77468415a728382cf445a74025d7fa37fcd7796d732f8f914973fc280c96783de9996b6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Premium.gif

Filesize
6KB

MD5
e5a0e315f1599eefc069c68948c30844

SHA1
0bd4d684c65922a31da4c3ed6f0a82e70da47786

SHA256
5598f1c444a41d37a7318392b976eeab76d667aed2b2783569cda82d7b0673d8

SHA512
8b12f7f0e6543a7b6cf00eafff1682b63e6a5403eea43bc367a576c8af702b82470df1881662353210f55d1fc51cc1ba8e1c5bebbc177dae20cdefcf1ef5c992

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_SlateBlue.gif

Filesize
20KB

MD5
c21da4118fc04f4727bb83c707984696

SHA1
21abd11af131e23193ec489f72652f9071c6cbc3

SHA256
8c4ce63395b0c1492206919259b3f971765cb2943b952c2b8c4d3053f4d9d089

SHA512
2bde27e7ad20574b2fc2ea8b0cacbe9534bdc27540b64ea47ea963e467f43ef1b4ee589af9016de31a044ba43250637395c5acd6030a38a60a4ded68a62e0ebe

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_TexturedBlue.gif

Filesize
6KB

MD5
96eabba702befeb6580b27016fb78dc0

SHA1
23133b21bbe3bae0cc3fc62d66a591bd7c8dc4f1

SHA256
92fd43903bd12d05fbc00b2a3e1768e628651b8fdb2c99d9cf7d0a4a6dd2d5fc

SHA512
63cf8779dd47063d6f92ec6e922bd0568f786396e7d489e2a734801e4aff39c58daec19d803ee11f40397fc157a424f2fa740d4a8f4a900c2ff23dd905c678fb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_VelvetRose.gif

Filesize
15KB

MD5
6e83446f2015b5739e87371a87ba3b26

SHA1
ba6ee5a3d5240c03d050a0de87a4a40817e40313

SHA256
cbb2ebbdca3707dc958bbfd3084a4c7ed364ef0e5b093f3f69d639792c25623b

SHA512
34316199cbcf34571a7e782a96460bca154bcb76b9f269c2db6ef2051c6e1dd1f42d25886bb6826b0ba803a262ad8a6a9ea5d67c22a1a56a729bb1390a207900

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg

Filesize
2KB

MD5
2a0cc5cfb6b4d1c66043635ad979694f

SHA1
a0566d2aa82723869af97811eb6ad6feb732c4e9

SHA256
63897ace515e450e859043624f476775928c904df81d335b7757a529d38d034a

SHA512
06ac06e33270c6b63950793112aa99521262d39709e742d5bbf05a277aec4265a87118cd946f7adc041ca2cf8d488b5b212b529b12ee880baf4014fb8eb1c11a

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp

Filesize
2KB

MD5
e0a06ca26232ea85a95c192e41e4724f

SHA1
f457ec2bfa1a49771c493c0a00ad72e9d1f1558d

SHA256
8766fe651111d9a7dd589d36a14e7f9759b296ff49d05b7b06376cc17703cf75

SHA512
b0d086b27d8ec04c0db3b5ab8dede2a94f55647de5ab166f43e1dcf3ffcd82b767e53f9c50896da9c249070c1421cfcb4fe98be7d51b531d35b1cc75e0b26424

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg

Filesize
6KB

MD5
9d8380795776aaa333543ba1b37b5c14

SHA1
24fb7ca57c0af894c339f4324d783e5fdbd101bd

SHA256
553abc57a7c31eeaf9aa68536dc72ab71735e12d750bb846d3c4cfb807ef04d1

SHA512
a71e120ee3fe1f682ae19e3d380b10ac34a5da52c03205e4e24b586c301547d7980fdcbbee7136d2be42b9cab3313a037da6bf44224cde39031a381ad04384a6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\HEADER.GIF

Filesize
255B

MD5
bef2f1e841a9ebca72c4f46eb97ec1b8

SHA1
950312bff5851a2cd96169d73f43637890194db3

SHA256
3d8044c692b7fbf56717b450a7468b95065dc69d9175650dbf53de5cf2e5bd17

SHA512
9b32fae66bc272e1f2763d6d2f777d53b256a97671c45ee91cd68304a86cc66e184d1bf0891670d8d686cc0ca008df87b729cb87c92d3060296d2b5567c44365

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\background.gif

Filesize
323B

MD5
6d7e36b43175a327d80ccd4fc469ff45

SHA1
8e507af6ee4384e87b49c2477604bb6e50d3525e

SHA256
0c24e6668d3e953dfa9c6769d38533c4d0796d44646a00e636df51d7fc77f2ca

SHA512
fa3b5b2a564b7de39c940b2d9196aeffd8de15467037473665861c891dd399af15ee64617caa847059b3d95034ade54ddaddfc9983238e1b1775da97cf7079a6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\HEADER.GIF

Filesize
367B

MD5
bf48cddb030d9439f392262ece8d9356

SHA1
ca977ee41453dec81c81207efbebe75917792bf4

SHA256
6dfa8d99f9f2549fa4ad093c280d6f53eda4645430b9b8f2f9843b2f7f2d99b6

SHA512
03a17616f64809b153c1a5c2f64e2fa027b02e9444a24fac8b93bb3d6061ece7e8d9c0361d2fe9fd860439f2681ce6ba2c37f663a3ddb25a6ba39e06ed996980

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\HEADER.GIF

Filesize
148B

MD5
f64a7006f78402a731f936ca4d54cc92

SHA1
12e4a03ad9990ee499db1437f44c96f0bd790ddb

SHA256
bf87b120c0bed7cc81c3c2786b1709902599c4e78df136ba0a5f2f9feb098eb0

SHA512
618a6f280760c6a687b18cf456d1a8e584dcfc54c2e82f13845d421f61c8ba312c09261e149cdb302cc2ccccf9a2897b2442d13f315478c39a82dc6dce291ec4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\HEADER.GIF

Filesize
440B

MD5
129293d047636b868a0beea0083859b1

SHA1
feae29396957f82acb53ff7826a840ec5c16a8e6

SHA256
47f4c153be3bce628d65a5f46cba01e6409eaf11003ebcaf8b0885b6bcd553c3

SHA512
03877a0c8efe018f889d4dbbf160f9848f67893feafd9e53a350ffa41a4a0c5e48efaff92c4c09a4320a8ea57f50d11ef0afa51bfe066bb7d0ac396768772ca8

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_OFF.GIF

Filesize
462B

MD5
101db561b565f9479d65c8f5b0ed78ae

SHA1
9af1eaa2aaac9c48b4cb980271dddb77d139906b

SHA256
d1430071de2999ff927b1358ab27a72ae436868101d9789d1c15e95546b03ef3

SHA512
9104c22211b6c8a62cad3ff881f724ae089bc8f0549ad7483fd985c1b43ffb636e0ad590e6e81ab057c2391dfabc3c52b523dae9038ee84448e3f5029ce2ef99

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\TAB_ON.GIF

Filesize
267B

MD5
8d63952d9e390ecbc1b9e8d2a00e4d25

SHA1
21b39927e87c636a210f64a3b0819b84879424ca

SHA256
15ecf7919b478d9d59ecda108d0bc12820e0dff7db64083135085d337cc42619

SHA512
48329d0302f899bc18eb137e0707df9f612cd3590e83a93eafe4737001db49885434fc2aba13fee2180b87c2afd89e86e61b9af31a5a0cfa4c10cbed3018c654

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF

Filesize
2KB

MD5
7d33988273356c34970fd153971620a9

SHA1
7cf0f29de83c7656d30a62e3564acb1421b8a9ea

SHA256
e887c75dd08539946c645b35aa44dfc81c082bfb8de979aea7cb1ca8a39c3152

SHA512
84b80dc835693cfccddd409a52769e33bb9e2fbe8644508157a2c01cfe42dd2e5ffaa502acf12bfa7f6cface745fda048aba43e61936acb6198b0f4da5c44060

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\background.gif

Filesize
233B

MD5
d36715f6d1922f5c053cb2529fe7f7ab

SHA1
e0236efecc4fcf3d3ec84131ef2ecb8fcf960111

SHA256
f080524711a14f94502014a099a3c67b4911f8bd1594cb1216e566848c2811df

SHA512
b43aaf48baabc5b537adee7ed48c8d195c8408dd2242873d8d87e9b7aaf35b052388278e6b5479bce87b5d0a04f6a76513910016a82f7dfc12db85110388dc3b

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_OFF.GIF

Filesize
364B

MD5
971d14664e40a068f4cd17a26ce58fb6

SHA1
acec00a582dd55a2dc9e5d21b9b4f3ce4924897a

SHA256
81909bb774491660b865e23e4c5b06082d85e1ccb5dd027f75bfd962fb506c0e

SHA512
6bf179232a29bbe9123a2ec1939f9e00ef543cda487cc9ce342fdfdd631a426af4479a607d255a28d02b25a32eefc69dc27a1fbbf65063d82cce65b751bfa054

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Slate\TAB_ON.GIF

Filesize
364B

MD5
04c5eee9cc0eed7b1d9116f8629aafdf

SHA1
fe82453354f43e1945a00bccd49a92567452c5b0

SHA256
7554f3f9b97a7df9dca01d74098348dd7af9b44dc1e2e7ecae9112ca9e3c7522

SHA512
c7bf7140cac164f80616efc50b8c74b52504ebeb3fbc8925dc66e4227a92c44cb289c8da902e29f2833c4d782e81c921dc6b1f2dde92fb3bbeb5dd2d39cfa616

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\background.gif

Filesize
6KB

MD5
0b1ecdb79d2f7ef9f9965498ceff3e09

SHA1
5b6ae423d12940a6739a50f118b4a15c42a956b0

SHA256
efcf75de87957c8e9df21b0f98c15dc60020f3d2f7898b850b34436e51e62b95

SHA512
6193db17a82f1635403e93bffcff2821e576bc0d722dc09c94708bbf50e79d2020eae8c383fd18a7885dd66405bb57a83d3b76b0de1fbb055b2d6f25b2740b3e

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\BUTTON.GIF

Filesize
428B

MD5
294025448f15408201fb72ea374ee844

SHA1
26a0e81a7ec63beef6f36134483d9535718f48b7

SHA256
49bf3cb5536d79dc24c3a5b07cee0d4cd8037a335d0ae9172c0ce5f5b678f2a0

SHA512
58b6008d25be9a818c6a07d6b0301a78a98dca4cf6e88c932da07ffe62f3f86a046010ced7235e0af34f0e1d6360258e84c97f023ed8fb5f3a3a3d109242b9f0

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\background.gif

Filesize
815B

MD5
a9cf7b9f2f92669fad82fa220685448e

SHA1
5388a0f50e89d36b48bb1bee0a63a57a8994a3bd

SHA256
e7ec1bbe2020f0ae29a38a2a0ea80487153c4a8c5d17b4d10351222e9f1c6dff

SHA512
c3c0a438502e43af629418a356a6b27585adf5dac619ff80b4b376670cdb3e51946990d8466d481e67c959dd19a500dccd3bf3e7f0579dcef265e0accf9f5648

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\RTF_BOLD.GIF

Filesize
870B

MD5
5057f08e3701b077ec4f802a5a35a8f9

SHA1
7cbb5515cdc6bfd4d03d452a93922783c3c14e6b

SHA256
03a8d1b3db4af414af69a75a00f254a57805a7780f43688cb42f39476a4b6fe3

SHA512
44cf502fff4f690a0220fa312b56ea009d39b95ca07ef7a5fa4f070e9038b35a95c6ec16264a2c321d744f3e01d8fbc751236ec078ddd28f78c360767fc9de43

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg

Filesize
3KB

MD5
515c024276105e23d140494707fa5262

SHA1
7eafc02ed2ce786d96fa03b2424cf4e2d9ffd7e2

SHA256
4dd48c40647b352932ac741a090c7403bbca1ddf381529a198256e9785592785

SHA512
b6620146dace9637793013508f39fd4883c70e8fd6cc4a691e3660cf146b41d68afd5d595d8a6729742ffbc4fc6b7766ee474e4dcc9e416d0df32ccdaf4342d2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\attention.gif

Filesize
2KB

MD5
8d0f3b32a29904ed4f1cab61ee699cff

SHA1
9cd41bfa43a7d7a45b1e7c184029450f0435bdd9

SHA256
5799a2a27165eaeb8de1f15b18c6ed4ff8351beb3ff76db5777e63079943a0be

SHA512
3950626623f37828da61f648242ceb45d7f988c761234ff2c152dedda5e41f79cc6e49b8d17e9fa09bb5b8c4d01f3d26b5bd793a530d35a6b2b1aede4fa7ffeb

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_FormsHomePageBlank.gif

Filesize
19KB

MD5
d38eb02f90044811f43488c0b9ebde9a

SHA1
0805d78f33697ff59956d66cb3a0686cf22795d3

SHA256
0dc67c8aeaf9b46ca67663570818dd1ede28afdc925d3fa7e2d34ee6f3395408

SHA512
f2219501e775dad5edb689076d11c1b64a7cc056ba8325d1f8d7c62a9d3702977c7129587f5a441fa7dc825addd8118c46d8383c40311b3bffaef5c8287338f3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosefont.gif

Filesize
890B

MD5
450fcb1b0c203719ee91b614828b03a0

SHA1
82d4653aadacaceda04a7e467f1d68cd5242f190

SHA256
978c857391fb9bee0ee12a8f385d44ce0a08dc2f9df8a64979b1a46efa4c5968

SHA512
d5eaf6e3e40bc6e1d693f50e82ea9a50fb2adf3aa37e352e99ddbfd6b01e7794e9d81c310cb73157cdea16836493200861f7789b0e9b15938a68d80fd2c95920

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif

Filesize
852B

MD5
863cbefd37927c5a96568ec94f259772

SHA1
34314169872acad433e20bae2349077d4d3b1172

SHA256
ea53305f496c56775c157b3ef90d69651fcd9c213e131d3689b606bc30732848

SHA512
188d11c3a9dd86d8d7aaabf5bb71e57f4f9e4d0cff9defd29732ab1a920173410842e6de336d2334b098466a6b70ff964bdc6f915f1a5bbfaa2c2c547fd04cf4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif

Filesize
860B

MD5
f7e05e91d3c3b9c16c9295bcd12a56e5

SHA1
176e92b831b49217dd356ca01bceaa4565681fdb

SHA256
a9eb324fd32806ebf7708bf16ece716032173ed0e1274c09412a4290f9766402

SHA512
915cb94b21da4500308e8cf3b16a0fa1ca2a1b22b5e50f4c6ae5fe80514b2e7822b5378604aff71c0956a3e3656f4471a4b157e6c10c9e2b530ed1c772c9ce53

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ADD.GIF

Filesize
580B

MD5
badd4dae87763948c970a4c603e73f19

SHA1
dca2cd5896b1e4d7b6b6efad2333219467c503bb

SHA256
567f599e17247568f8f757516e7afcc157191b87df44781264f2cdc0015c4f71

SHA512
cd1c18f3844a71d0c5fe62cfaa110499f2e59382cdcf30b410ef4667becb26a0898a1cc21578a5f4eea5b33ee3f0dca64077e03831b6aefa7eb14d8b09bbf8a2

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\CALENDAR.GIF

Filesize
899B

MD5
3ed8a9506749e2c62ee2905f87b959ae

SHA1
e489ec6d4e0546a9e1449175428d463de07ae474

SHA256
9767c4fee1ecc88e534494250d34c42d5cfdeb1d3341e1d66499cae488882e3a

SHA512
3092e4fb791e64bc8eb27c2cfd5813bda3238465175a388af9c0691baf4d70c2896c426d464a774b8c57a433c374137beea3c9bb3cf15ddecea23f869e3b38d4

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\DELETE.GIF

Filesize
625B

MD5
32cc5e5b328d19fe6e8bb700b024e353

SHA1
64eaa9f1b958a48c1c085828518cb226ced7eaab

SHA256
78d2c95b2c8f0e7b14d39e35d4a7dc3be0388082617d113f9694d563805d6091

SHA512
3e433827ba81de46e453cb4b95f0e46f0f4a4c365f2a5b9bc24e4885108f83d48b70629e607e0fe3b1ce7f7b48f9a69df3cfbd7b52a4e29dfb5d3834f6350aea

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\ERROR.GIF

Filesize
873B

MD5
e265ffb059b5d4b5e56f160abe816bb1

SHA1
2b1661a0090cfdfeec465d7200201821b1994d42

SHA256
f0d4ae4eabddb12f1fe64947b5e9f4379c7a613f36f83c5a5dd3a0b64bc60309

SHA512
e3e39bb248918473daaf3ede150ed5088af728afa727c58baebacf1d03e29560a6ded444f7e43c2db42c93233e8076bf42d164463c7d454cd5f02f796668efcd

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg

Filesize
5KB

MD5
9557bc1f04a45326c03368dc836d6042

SHA1
86173c36a2cf40b11d5e8098c51f110526f7336f

SHA256
2e141c1d00dc85fe8e7bec2457efaeb0a649530ddc172d8e47d9ac087d5afe16

SHA512
228885f993686c02728a3d8caf41ad2a168507f67f41b2f921bc6252078636c978f731f0c238debc0c6e16a992431e4613907023d53cde405c61e9c9eb9a113d

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp

Filesize
1KB

MD5
ceb846233656b17730ccc4b5b6ae7107

SHA1
4b53872c97a89fe233c9b8b6a9a78d4903ee5500

SHA256
a2eabbf78cf3e9fc883a8be0a4fec4182b53920baa6f320f5da90d9e9bd33e25

SHA512
6caf13ad923bf928ee4d514f02da8cec8f4b2439cf297c06f46ae3a9a394719d6afcfe48e7e520cf4970c815baf9433829c9718e6af446ec91e1f182f50bd7b3

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\LAUNCH.GIF

Filesize
615B

MD5
32339fcf6bed5c24a5709726dec43ffa

SHA1
9a70b4657bbd7fac23fcba87f9c5d7fcabbdcd0b

SHA256
2553795cc9471d77573f7a0145ec7445502e089242e8a54aab56830c2ce28bfe

SHA512
40d847be510bbd3d434d05181ab77976ece103bf241a91a7450e23162765ac916c7d36e5dbb2fd3ae6c7d10cbc431bafbca5d9e48d7034d51baf84914076a157

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif

Filesize
848B

MD5
73b24ec1a5e0853adcd314bfab490917

SHA1
cd49e429ab4cf5b16079c16e04e61f5d8aeee8d5

SHA256
d57621767d5d5d8af04a3b069a9bc34fbc0809d1a443f734602f54adef2a5848

SHA512
fad5f6db2c0c8bc9de854accf87278824b2d2e30e1b17b05433ab4045c3eb14f37adbe2516e39114f65eaf7dfa253ff77ade7273df7aae240b73ef1f8114d5b7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignright.gif

Filesize
847B

MD5
03ef8740c3e636ffb89facdc27e7db7c

SHA1
de79f5f79aedd247009216abaa553cb72cf6b299

SHA256
08da754fdd0709d0b034648cad3cd67613a9131a8bc3b7e68b8cb568fc1a759a

SHA512
d2ddfff64079bdfbe17c4aeb4612c39c00b4299670383fcfd3d710e6be97756b199b548673576eef901cda5aaa8e8a971b2223b1d76798f356c648ba65d0f578

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_bullets.gif

Filesize
869B

MD5
fd1f09342ff2d1e0c73d94af2482b28b

SHA1
fc9548c04df31c846493fbf09410878d8764d19c

SHA256
1085c7b049f1a19b44a4f4d1f4450925783c1a187955b82c5696af28d8719498

SHA512
856b3630083307832f8f621224920b5700831fb3b844823934c221afcb711be2e3d52056e4e509fada536bead48c7bc47d2bbe2e2bc40af4fa1ef6c306a7a5a7

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_center.gif

Filesize
847B

MD5
e207d7a225a9d7053dcd9cb6c69b65de

SHA1
4b67c03ac95d6dbb56cd6ee58ae0a9e2d7a99076

SHA256
c30bb614b0a569d686c0b75d656fd825a12b2a52f7d162e7ad6f4a8d3f051a71

SHA512
fafc944fe4bf5a93150b0b6c718f516f9202c633eed7d4255cb8ef1626585d333df1f0a12d75c0a6087b75bee5b7a543ae7f0d9e1677ae6778688dc64e967864

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif

Filesize
863B

MD5
823b394f50427750636ef1d432ffcfe8

SHA1
3be8f6512786a6db307b2619a306d1c096d23a61

SHA256
2d980632d2316a068e3a3e6df8a50a48c756e4574f9ebd3baa0e9b6e5fc5cb24

SHA512
9affd60291c62d6defa411d901385b6fe76f42f8a2a0756c38350bb257396739adc0c028a2aad7a497a6c7a0cb431b70aaef9b7fd6dc73d00a75cfef8e594c76

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_increaseindent.gif

Filesize
861B

MD5
765a9e7b2fd450f46858abcb4f091f58

SHA1
71c600b279653fe7a13fb11289e3229d49363064

SHA256
b7e3da519ca582ee93bf12f448b57f5e45ebeeb15f0a99b6b9a70d74a5043493

SHA512
412b4a8a42784a62fd7041725563b61186b1e17d89bdd5c013505ba2435147fad184f5fca389a4d703ea790112eebb74147087fb99a5507306662feff2f48460

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_justify.gif

Filesize
850B

MD5
fb2b87b58c823e408ec641ba3b626159

SHA1
431b4747f50c963409c089c511c7d0ba3e6dfee1

SHA256
2b1a258f943737ceeee57bd00caf68781fe9bd7e2cea488beb6e38614b5df26d

SHA512
cf280bdd72c2e42512761ffb2b27d8fa8aeb01e67be401b3bcf2c9c7b70af918d8b090ae42622b53369cf3f3162f9dd918dc3dab51a3c2bdc16952440d45fdb6

Download Submit
C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_pressed.gif

Filesize
883B

MD5
2278a3d1fc883bc3a3e6fa662ae55341

SHA1
db2fd5eae007c143f1885c781885fecf1909061f

SHA256
55a5f691e332f0cb36653fd149866224f04358987b101d648a2bb496633da51c

SHA512
b6a35f420fae68976ad253db2ef98d1228137c9257acb8e99323f3633762c2e1fdaceea38e8c3d474b37e7f9c4502b71984765114513d42c937fda065eefb567

Download Submit
C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
153B

MD5
6387701fbe1898c05075a93730b640dc

SHA1
f26a214d2728ef18f1b8121ebd0200bd13104137

SHA256
e06b94455815843a9edf0a86e586ded641800b97d8f2449d663984fba32def6c

SHA512
eb447b88454903e1a5f822fe9a0a8b432e362ce01a1a415adeda6957a5b6f62a231ec045b5f0ad6ec254476b01bd18cdc857e74c2e462ca72968b27d34ca3c6b

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
2535eaafed7a3467a912fe3852d97bd9

SHA1
9b006486411e3828e049aa83da0f19c141864b84

SHA256
7556b0ea9adaae8cec8cddc597a7e7b388f4647e92ecb274ba76addde6ecfa1c

SHA512
ffba700d597aea94bb43d5e45d415eabc21acecaa111f5618af506f736d780228c3da5f6a0d6a327f606c64ddda29718baec160756c3466735c24b3e2a1dd9b8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
1032e89ce3bb818e8b10d490b748e092

SHA1
6bf07bdbdc485302a1dc523bfebfcff6d8c361b3

SHA256
e26c260eea800a8217e2dae3e63cdd1235d0844da004f98b9b0e735cc97d5802

SHA512
a088b54d29f1de7de874d854cb8046f287dc35ece5d429364acaef07c5faeeb17983ecaa732a0a7b391be554cbaa2b2d47a9b27d6ff165263943bcfb0defee51

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
26acab803741d160be2dcd4933b056a8

SHA1
c4f51fd864f59b17659876f3da4862a88a0ca5f3

SHA256
96828ff55eecdd657fb4a01da7493b24b36f33a0fcbba9b9b3e90fb7029f8774

SHA512
d94b9686286702d4b7697ff31a91bed17b58c21f96c998783f10e9bf008ee1843ac6c2663f1b763b3c178231da8a2a277f8e7b3c1c87949261dc2d4da40ea3bb

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
41f62e4452c62afa0451bd8f6e54a302

SHA1
f59b14a19a2788ff6eb6866c1d9939f83c4a7200

SHA256
26664d2bb87eed5e341af0746e9a8ac094baea622e1a31a9819aa2f3ac7568bc

SHA512
5f3a687aca1bf7c16835215f15f889791714f001c769139cd475d5575221e56132eadfc5bdd76a66a8e4a13fc3ad2a60d9d1ce8db71a6045d8635c379f0d688a

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
172KB

MD5
a62932faae12e376b67ffbbbf83b7f52

SHA1
b0b8ce8ce335714eb07a3734bfdb843eb945e897

SHA256
d9d5d7284c33200efaae9ea642dee19241ce8e60ff0b32f271d84b93de6f2711

SHA512
12dabab6a65dbb646d33aa4ca24c318b1f146ca7aa92ae8d74f2c988935a9e79061e506f32ba0e3c4587ff6c126f1deffba0a8365f979654dcf65203cb8af274

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Windows Explorer.lnk

Filesize
1KB

MD5
ea902bcf0038e292241cd099647b7f25

SHA1
8009e64ea48d1cbd976fc9ef735cbe6c43c0e57e

SHA256
fbf642c295af59989eefb54aafa28dcdc4b9c3152676ff98226039ace7d3aca7

SHA512
6b2aeb186ad3af52e969348767bec099e61e21fe4fd334af2cdf8f173f34a441810f4abd1ab0f4deb2583a4272c6f12d84a6567ec53b0cbe0f13f383fc3c0521

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\ASPdotNET_logo.jpg

Filesize
21KB

MD5
d1ce16e75fcab34a2faebc900607d3d3

SHA1
9e0b28f2a0e835f2d0b543c21514da0cec4c81c4

SHA256
fe38cd5159ee073790dc8d05db2c967a7c5889faf95e50955e240cd5635be466

SHA512
387bdba89d8c677c842a403af408430bf34e50e106af7049311c075f0c0794e52b641c73d5d1ad696c311267c078e7347e8a96da6d0f7a70991589b3578c422d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\HelpIcon_solid.gif

Filesize
1KB

MD5
d07eb0e7262036f19b47fa613e316676

SHA1
9107a63e473e17135219740cd892314096602990

SHA256
463223dd53547e73d7f09aed6f9b60cfa673374e124ca04d81429d6554116778

SHA512
dcf3bd198ac537bb38d8556e55a5fa7e0d93f0c1dfcdc510d5c48f0a4be633f0fd1ff3d3f8a18913656c158212a15c8b8d6606eba47c6c1bb900f092b22045ac

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\alert_lrg.gif

Filesize
952B

MD5
8f79d1e35ce5cfc14fd391c03ea15e97

SHA1
f24142c6ec6935e41fd92e7a15d22b08245106f3

SHA256
c4e5473cb713441511e5efb2698d80fa7b2c2d81a2a0dde01cf7db6cf1d12b40

SHA512
553b446e6fb9a11bee9dc97b9864901745d13c287a2f4d3a87cea0060d0cf55dafc89d7f04402b8cd90e0142276048d690f9e74749e1b77e0e3cde75b59b6195

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\aspx_file.gif

Filesize
121B

MD5
12ea42738126795963bc7aa7b3383d78

SHA1
66b2363ade09ddb58c4054b714c84a2a7195d6b7

SHA256
1562cc360f0c333cf3eccf51f54aa64f1393af43d337d61bc0401dbd1803c860

SHA512
96162a9dc84d5775150d1432f3103644d321e35b82a747a04fa38e901c41ce28df66e9e62e9eaffe7c6c5675abdee6c44dbd3d54e53a08a819fbd21709545074

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\branding_Full2.gif

Filesize
1KB

MD5
86977fa5d3038115ab6de011f6a0a992

SHA1
a9d15953fdc53042f82237e89c9f976efed7b58f

SHA256
d6af938f6184bb8593dde6a710d5c56e49616f26f2c6d546d6034ff149bab235

SHA512
cdcacc596538d39fb0a9e28fe03a4777d4d63501325fdbc0505cd959579dfc2011cbe4fde170873c1aec4e0f432b464a95f4c34200450de3b8d119869ffe0b2c

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\darkBlue_GRAD.jpg

Filesize
8KB

MD5
7ce6f821f89acc23fbbcd026a82074d4

SHA1
57e888eaaafb0500177c2d16fb64a06808cc959e

SHA256
eee27afc6da772df868b9045d918d1854f6fe4149ff8073eaabb5fe872132088

SHA512
818c4b0db894aebd4f952a138e05842ca8ad13b294e3f9a3cd1066f2f87bb2fc9b72161a46dc22a66e4dc67dd852f55686a5412d281dde8593f10b391c9e93d9

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\folder.gif

Filesize
914B

MD5
f51e69d46729469a8a31e24aeabde7bc

SHA1
a6abcada61589235ff3534a14afcfa5076e7ccfb

SHA256
3701f17832ff3ecf2f6c55b51d19e2725cd992236bf73f2acef79b928207b10c

SHA512
8ac5dbe51cc51b3acb058089bcbf8d3e254a51c74c3c15936cfffed191ec97d908f795214ce9956c6411f08a1e8b7dd492337ad6e1c3e8361ae9e921e5cfd6d6

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onBlue.gif

Filesize
90B

MD5
55ffce0b5cb2b2b7083d8b3105dbc306

SHA1
6a017e807138d3f490ad11c5dc3c88431225fcd9

SHA256
740529b1e69b8919404ef1e344cab0ccae2743fa6525ed7449c6cc01d67f8340

SHA512
c1e5c0fc197f409047ad0b7e0349962256bf8224a154d1f1926187f6237fa1cde8b9adc8d8c642f064a0afe734c4d9055ab933712ff185c7feb4026422932c83

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\gradient_onWhite.gif

Filesize
90B

MD5
bdf66f52493bc4b807458fae81e5f580

SHA1
7fd249a9b9c53dcdc058a663d604b9788da3a8bf

SHA256
e99a8f816dfb5e75742ab50e92f91aa62c831bdde6ec8798f4cfeadb4141726d

SHA512
49fe52dc12b0e4b6b3a57aefe0992accffea8700c9c6a28bd899211406bb560f2428ceebbbb0f30fa824de4938f836335723f36e21d5c3a18501dc6c67026858

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\headerGRADIENT_Tall.gif

Filesize
328B

MD5
bec22784013741d009e4ecc61aaa304b

SHA1
94982f3bb8d7652a03c4f96427456a819376929b

SHA256
1ed8899c0a352eea3083645e093d4e3a94a9e8af51209b538e3caa4f4449c754

SHA512
829b55f5b4841b883f40bb4cd738f1a021673109164b44571215f930290446c9ca854ffb7ec268363091650d8f75eec65864c184ddfa5e16be3d244929b5c80a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\help.jpg

Filesize
1KB

MD5
eeb13368e3d9e096287283e30e7af3f3

SHA1
4853e77ab53cf90a6eaac6f39bb18e0c36305c05

SHA256
e74723a1e7e5446b24d34fafc71699a2794e667c8040862c4c8eeb00767278da

SHA512
59b413cf110c523e5d6cce982308f4192ea080249b25d6aa961b6cf1786cc89ca98c58d55ac29a98dbbec59ff1c25bdcd3c0ed5669631ccdc8b6a2f8d79a64d2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image1.gif

Filesize
162B

MD5
2051209da422ac054c75d22f79f7058f

SHA1
5010d680d748870383277dbd8060a7f7843554e0

SHA256
f139decf4fe365b089dd693354aa903ca08ca8da1da707701594729984c02dac

SHA512
392cb115d62cd15554bfd9daf3ea4940593f7d8c27d7db3940c5815039ad07781da1e96cfcf7d06e9b8cdfd054b23746f02707cd0e38190062a94dfbb1b575cd

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif

Filesize
586B

MD5
4bce4ae8032505d3c8de0a328e1f4f42

SHA1
c8cfa9522a35d93431328cc7da0d9dcf390c61e5

SHA256
bbeb46a5c425cf151bef674f07299356b7b6a85f7b5a1669a25e3672f24ca020

SHA512
4c7efdd9316f99030de2b7864ebd7b932b1b2766c2b4bd853a25efcd2f479773ca879e22bd3aff4a024c217d0e2c8fdcf2283b5c9c8cf1482e65dc5d19ccdf13

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\requiredBang.gif

Filesize
124B

MD5
ec83760e86ce100481ea880bed7fbc18

SHA1
a88c68445af8bb454578e4263d15f49c80de1032

SHA256
1f0ca1fd7e43590abe53011c24fbaf0673b72a7b940b9faf25001658a8b6ab3d

SHA512
24316baac3a451744c574c5b7239d290bf032bb35d85fdbdc98df4d70a562b5d5209db25fb0b17bc123942259075db2041d6f88282eb1e35fd5152523b7ca8d2

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\topGradRepeat.jpg

Filesize
8KB

MD5
f5b296f9bc15d42eb4a7a61dffab2a21

SHA1
9651658dcbdb44f6509170fc03d97c5195e6aecb

SHA256
076b24c36d58481085271a751507271e4538fd6ff684cbf7c00531456cf3f6a3

SHA512
d39519a0fa236b9b093edbb8b7a7da31cd75d76c5640bd62b52bfa55bd9ae83aab0a9dff85d52a88ea463248e4b533613e0e67dc58ff78d1ac8a63b59646793e

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Images\yellowCORNER.gif

Filesize
880B

MD5
97f9e5804c5befe1813517221d0b2339

SHA1
f02c16e4402d05b68a4028c458c76d1d55e99fe7

SHA256
a65afaeac6ecc1463e2f0045f6247317e9f785a0a8751645309253972738ea7e

SHA512
5cc3d20f35dc04dc30686f6f8aacd8a8188a9951fe8f3e0ea970e05aa91e08f902200560655cb93655b8d2c877b4bf9c2016015ab659ddc6dd9d1b10292f2c39

Download Submit
memory/2660-0-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2660-8896-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2660-9119-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads